Commit ad0405f
Merge branch 'main' into repo_sync_working_branch
2 parents 2b337a7 + 17e84c2 commit ad0405f

201 files changed

+1439
-883
lines changed

.openpublishing.redirection.iot-hub.json

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1088,6 +1088,16 @@
10881088
"redirect_url": "/azure/iot-hub/iot-hub-device-management-iot-toolkit",
10891089
"redirect_document_id": false
10901090
},
1091+
{
1092+
"source_path_from_root": "/articles/iot-hub/iot-hub-operations-monitoring.md",
1093+
"redirect_url": "/azure/iot-hub/monitor-iot-hub",
1094+
"redirect_document_id": false
1095+
},
1096+
{
1097+
"source_path_from_root": "/articles/iot-hub/iot-hub-migrate-to-diagnostics-settings.md",
1098+
"redirect_url": "/azure/iot-hub/monitor-iot-hub",
1099+
"redirect_document_id": false
1100+
},
10911101
{
10921102
"source_path_from_root": "/articles/iot-hub/iot-hub-protocol-gateway.md",
10931103
"redirect_url": "/azure/iot-edge/iot-edge-as-gateway",

.openpublishing.redirection.json

Lines changed: 11 additions & 1 deletion
@@ -623,6 +623,11 @@
623623
"redirect_url": "/azure/azure-arc/kubernetes/",
624624
"redirect_document_id": false
625625
},
626+
{
627+
"source_path": "articles/azure-arc/kubernetes/conceptual-agent-architecture.md",
628+
"redirect_url": "/azure/azure-arc/kubernetes/conceptual-agent-overview",
629+
"redirect_document_id": false
630+
},
626631
{
627632
"source_path": "articles/cognitive-services/whats-new-docs.md",
628633
"redirect_url": "/azure/cognitive-services/what-are-cognitive-services",
@@ -44213,7 +44218,12 @@
4421344218
"redirect_url": "/azure/governance/policy/samples",
4421444219
"redirect_document_id": false
4421544220
},
44216-
{
44221+
{
44222+
"source_path_from_root": "/articles/cognitive-services/QnAMaker/custom-question-answering.md",
44223+
"redirect_url": "/azure/cognitive-services/language-service/question-answering/overview",
44224+
"redirect_document_id": false
44225+
},
44226+
{
4421744227
"source_path_from_root": "/articles/openshift/howto-secure-openshift-with-front-door-feb-22.md",
4421844228
"redirect_url": "/azure/openshift/howto-secure-openshift-with-front-door",
4421944229
"redirect_document_id": false

articles/active-directory-b2c/partner-eid-me.md

Lines changed: 2 additions & 2 deletions
@@ -101,7 +101,7 @@ To configure your tenant application as a Relying Party in eID-Me the following
101101
| Name | Azure AD B2C/your desired application name |
102102
| Domain | name.onmicrosoft.com |
103103
| Redirect URIs | https://jwt.ms |
104-
| Redirect URLs | https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
104+
| Redirect URLs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
105105
| URL for application home page | Will be displayed to the end user |
106106
| URL for application privacy policy | Will be displayed to the end user |
107107

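Review bot: the Redirect URLs cell is only half fixed. The b2clogin.com placeholder is now wrapped in backticks, but the custom-domain placeholder `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp` later in the same cell is still a bare URL, so whatever link check or rendering problem motivated this change will still hit the second occurrence; wrap it the same way so both reply-URL placeholders render as literal text rather than links.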
@@ -300,7 +300,7 @@ There are additional identity claims that eID-Me supports and can be added.
300300

301301
1. Open the `TrustFrameworksExtension.xml`
302302

303-
2. Find the `BuildingBlocks` element. This is where additional identity claims that eID-Me supports can be added. Full lists of supported eID-Me identity claims with descriptions are mentioned at [http://www.oid-info.com/get/1.3.6.1.4.1.50715](http://www.oid-info.com/get/1.3.6.1.4.1.50715) with the OIDC identifiers used here [https://eid-me.bluink.ca/.well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).
303+
2. Find the `BuildingBlocks` element. This is where additional identity claims that eID-Me supports can be added. Full lists of supported eID-Me identity claims with descriptions are mentioned at `http://www.oid-info.com/get/1.3.6.1.4.1.50715` with the OIDC identifiers used here [https://eid-me.bluink.ca/.well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).
304304

305305
```xml
306306
<BuildingBlocks>
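Review bot: the oid-info reference is demoted from a link to inline code while the bluink openid-configuration URL on the same line stays a link, so the two references now render inconsistently and the first is no longer clickable. If the intent is to avoid linking to a plain-http address, say so in a short parenthetical (or link an https variant if the site serves one); otherwise keep both as links.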

articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md

Lines changed: 15 additions & 8 deletions
@@ -21,31 +21,38 @@ You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a
2121
>[!IMPORTANT]
2222
>Currently, only the generic SQL and LDAP connectors are supported for use with the Azure AD ECMA Connector Host.
2323
24-
## Create and export a connector configuration in MIM Sync
25-
If you already have MIM Sync with your ECMA connector configured, skip to step 10.
24+
## Create a connector configuration in MIM Sync
25+
This section is included for illustrative purposes, if you wish to set up MIM Sync with a connector. If you already have MIM Sync with your ECMA connector configured, skip to the next section.
2626

2727
1. Prepare a Windows Server 2016 server, which is distinct from the server that will be used for running the Azure AD ECMA Connector Host. This host server should either have a SQL Server 2016 database colocated or have network connectivity to a SQL Server 2016 database. One way to set up this server is by deploying an Azure virtual machine with the image **SQL Server 2016 SP1 Standard on Windows Server 2016**. This server doesn't need internet connectivity other than remote desktop access for setup purposes.
2828
1. Create an account for use during the MIM Sync installation. It can be a local account on that Windows Server instance. To create a local account, open **Control Panel** > **User Accounts**, and add the user account **mimsync**.
2929
1. Add the account created in the previous step to the local Administrators group.
3030
1. Give the account created earlier the ability to run a service. Start **Local Security Policy** and select **Local Policies** > **User Rights Assignment** > **Log on as a service**. Add the account mentioned earlier.
31-
1. Install MIM Sync on this host. If you don't have MIM Sync binaries, you can install an evaluation by downloading the zip file from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=48244), mounting the ISO image, and copying the folder **Synchronization Service** to the Windows Server host. Then run the setup program contained in that folder. Evaluation software is time limited and will expire. It isn't intended for production use.
31+
1. Install MIM Sync on this host.
3232
1. After the installation of MIM Sync is complete, sign out and sign back in.
33-
1. Install your connector on the same server as MIM Sync. For illustration purposes, this test lab guide will illustrate using one of the Microsoft-supplied connectors for download from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=51495).
33+
1. Install your connector on the same server as MIM Sync. For illustration purposes, use either of the Microsoft-supplied SQL or LDAP connectors for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=51495).
3434
1. Start the Synchronization Service UI. Select **Management Agents**. Select **Create**, and specify the connector management agent. Be sure to select a connector management agent that's ECMA based.
3535
1. Give the connector a name, and configure the parameters needed to import and export data to the connector. Be sure to configure that the connector can import and export single-valued string attributes of a user or person object type.
36+
37+
## Export a connector configuration from MIM Sync
38+
3639
1. On the MIM Sync server computer, start the Synchronization Service UI, if it isn't already running. Select **Management Agents**.
3740
1. Select the connector, and select **Export Management Agent**. Save the XML file, and the DLL and related software for your connector, to the Windows server that will be holding the ECMA Connector Host.
3841

3942
At this point, the MIM Sync server is no longer needed.
4043

41-
1. Sign in to the Windows server as the account that the Azure AD ECMA Connector Host will run as.
44+
## Import a connector configuration
45+
46+
1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) articles.
47+
1. Sign in to the Windows server as the account that the Azure AD ECMA Connector Host runs as.
4248
1. Change to the directory C:\Program Files\Microsoft ECMA2host\Service\ECMA. Ensure there are one or more DLLs already present in that directory. Those DLLs correspond to Microsoft-delivered connectors.
4349
1. Copy the MA DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory.
4450
1. Change to the directory C:\Program Files\Microsoft ECMA2Host\Wizard. Run the program Microsoft.ECMA2Host.ConfigWizard.exe to set up the ECMA Connector Host configuration.
4551
1. A new window appears with a list of connectors. By default, no connectors will be present. Select **New connector**.
46-
1. Specify the management agent XML file that was exported from MIM Sync earlier. Continue with the configuration and schema-mapping instructions from the section "Configure a connector."
52+
1. Specify the management agent XML file that was exported from MIM Sync earlier. Continue with the configuration and schema-mapping instructions from the section "Create a connector" in either the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#create-a-generic-sql-connector) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#configure-a-generic-ldap-connector) articles.
4753

4854
## Next steps
4955

50-
- [App provisioning](user-provisioning.md)
51-
- [Generic SQL connector](on-premises-sql-connector-configure.md)
56+
- Learn more about [App provisioning](user-provisioning.md)
57+
- [Configuring Azure AD to provision users into SQL based applications](on-premises-sql-connector-configure.md) with the Generic SQL connector
58+
- [Configuring Azure AD to provision users into LDAP directories](on-premises-ldap-connector-configure.md) with the Generic LDAP connector
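Review bot: the last step of "Import a connector configuration" tells the reader to continue from the section "Create a connector" in either article, but the two anchors point at differently named headings (`#create-a-generic-sql-connector` versus `#configure-a-generic-ldap-connector`), so the quoted section title cannot match both; quote each article's actual heading next to its link. One smaller point in the context lines of this hunk: the host path is given as `C:\Program Files\Microsoft ECMA2host\Service\ECMA` in one step and `C:\Program Files\Microsoft ECMA2Host\Wizard` in the next, and the casing should be made consistent while the surrounding steps are being rewritten.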

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 06/22/2021
9+
ms.date: 04/07/2022
1010

1111
ms.author: BaSelden
1212
author: BarbaraSelden
@@ -64,7 +64,7 @@ If you are already using Conditional Access to determine when users are prompted
6464
As users are migrated to cloud authentication, they will start using Azure AD MFA as defined by your existing Conditional Access policies.
6565
They won’t be redirected to AD FS and MFA Server anymore.
6666

67-
If your federated domain(s) have SupportsMFA set to false, you are likely enforcing MFA on AD FS using claims rules.
67+
If your federated domain(s) have the [federatedIdpMfaBehavior](/graph/api/resources/federatedIdpMfaBehavior?view=graph-rest-beta) set to `enforceMfaByFederatedIdp` or **SupportsMfa** flag set to `$True` (the **federatedIdpMfaBehavior** overrides **SupportsMfa** when both are set), you are likely enforcing MFA on AD FS using claims rules.
6868
In this case, you will need to analyze your claims rules on the Azure AD relying party trust and create Conditional Access policies that support the same security goals.
6969

7070
If you need to configure Conditional Access policies, you need to do so before enabling staged rollout.
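Review bot: the new sentence inverts the condition that the removed line expressed and that the companion article in this same commit still uses. Here, claims-rule MFA on AD FS is said to be likely when **federatedIdpMfaBehavior** is `enforceMfaByFederatedIdp` or **SupportsMfa** is `$True`; the removed line, and the "Configure Conditional Access policies if needed" section of how-to-migrate-mfa-server-to-azure-mfa-with-federation.md, tie it to SupportsMfa being false. Both cannot be right, and a reader who skips the claims-rule analysis on the strength of the wrong one can finish the migration with MFA no longer enforced for those users, so reconcile the two before merging. Two smaller points: `$True` is a PowerShell literal where the text describes a property value (the companion article writes `false`), and the federatedIdpMfaBehavior link lacks the `&preserve-view=true` that the same link carries in the companion file.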

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md

Lines changed: 70 additions & 12 deletions
@@ -4,7 +4,7 @@ description: Step-by-step guidance to move from Azure MFA Server on-premises to
44
ms.service: active-directory
55
ms.subservice: authentication
66
ms.topic: how-to
7-
ms.date: 06/22/2021
7+
ms.date: 04/07/2022
88
ms.author: BaSelden
99
author: BarbaraSelden
1010
manager: martinco
@@ -168,33 +168,91 @@ Once you've configured the servers, you can add Azure AD MFA as an additional au
168168

169169
![Screen shot showing the Edit authentication methods screen with Azure MFA and Azure Mutli-factor authentication Server selected](./media/how-to-migrate-mfa-server-to-azure-mfa-user-authentication/edit-authentication-methods.png)
170170

171-
## Prepare Azure AD and implement
171+
## Prepare Azure AD and implement migration
172172

173-
### Ensure SupportsMFA is set to True
173+
This section covers final steps before migrating user phone numbers.
174174

175-
For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain in Azure AD has a SupportsMFA flag. When the SupportsMFA flag is set to True, Azure AD redirects users to MFA on AD FS or another federation providers. For example, if a user is accessing an application for which a Conditional Access policy that requires MFA has been configured, the user will be redirected to AD FS. Adding Azure AD MFA as an authentication method in AD FS, enables Azure AD MFA to be invoked once your configurations are complete.
175+
### Set federatedIdpMfaBehavior to enforceMfaByFederatedIdp
176176

177-
If the SupportsMFA flag is set to False, you're likely not using Azure MFA; you're probably using claims rules on AD FS relying parties to invoke MFA.
177+
For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/federatedIdpMfaBehavior?view=graph-rest-beta&preserve-view=true).
178178

179-
You can check the status of your SupportsMFA flag with the following [Windows PowerShell cmdlet](/powershell/module/msonline/get-msoldomainfederationsettings):
179+
>[!NOTE]
180+
> The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/msonline/set-msoldomainfederationsettings).
181+
182+
For domains that have already set the **SupportsMfa** property, these rules determine how **federatedIdpMfaBehavior** and **SupportsMfa** work together:
183+
184+
- Switching between **federatedIdpMfaBehavior** and **SupportsMfa** is not supported.
185+
- Once **federatedIdpMfaBehavior** property is set, Azure AD ignores the **SupportsMfa** setting.
186+
- If the **federatedIdpMfaBehavior** property is never set, Azure AD will continue to honor the **SupportsMfa** setting.
187+
- If neither **federatedIdpMfaBehavior** nor **SupportsMfa** is set, Azure AD will default to `acceptIfMfaDoneByFederatedIdp` behavior.
188+
189+
You can check the status of **federatedIdpMfaBehavior** by using [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true).
180190

181191
```powershell
182-
Get-MsolDomainFederationSettings –DomainName yourdomain.com
192+
Get-MgDomainFederationConfiguration –DomainID yourdomain.com
183193
```
184194

185-
If the SupportsMFA flag is set to false or is blank for your federated domain, set it to true using the following Windows PowerShell cmdlet:
195+
You can also check the status of your **SupportsMfa** flag with [Get-MsolDomainFederationSettings](/powershell/module/msonline/get-msoldomainfederationsettings):
186196

187197
```powershell
188-
Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMFA $true
198+
Get-MsolDomainFederationSettings –DomainName yourdomain.com
199+
```
200+
201+
The following example shows how to set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` by using Graph PowerShell.
202+
203+
#### Request
204+
<!-- {
205+
"blockType": "request",
206+
"name": "update_internaldomainfederation"
207+
}
208+
-->
209+
``` http
210+
PATCH https://graph.microsoft.com/beta/domains/contoso.com/federationConfiguration/6601d14b-d113-8f64-fda2-9b5ddda18ecc
211+
Content-Type: application/json
212+
{
213+
"federatedIdpMfaBehavior": "enforceMfaByFederatedIdp"
214+
}
215+
```
216+
217+
218+
#### Response
219+
>**Note:** The response object shown here might be shortened for readability.
220+
<!-- {
221+
"blockType": "response",
222+
"truncated": true,
223+
"@odata.type": "microsoft.graph.internalDomainFederation"
224+
}
225+
-->
226+
``` http
227+
HTTP/1.1 200 OK
228+
Content-Type: application/json
229+
{
230+
"@odata.type": "#microsoft.graph.internalDomainFederation",
231+
"id": "6601d14b-d113-8f64-fda2-9b5ddda18ecc",
232+
"issuerUri": "http://contoso.com/adfs/services/trust",
233+
"metadataExchangeUri": "https://sts.contoso.com/adfs/services/trust/mex",
234+
"signingCertificate": "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
235+
"passiveSignInUri": "https://sts.contoso.com/adfs/ls",
236+
"preferredAuthenticationProtocol": "wsFed",
237+
"activeSignInUri": "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed",
238+
"signOutUri": "https://sts.contoso.com/adfs/ls",
239+
"promptLoginBehavior": "nativeSupport",
240+
"isSignedAuthenticationRequestRequired": true,
241+
"nextSigningCertificate": "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
242+
"signingCertificateUpdateStatus": {
243+
"certificateUpdateResult": "Success",
244+
"lastRunDateTime": "2021-08-25T07:44:46.2616778Z"
245+
},
246+
"federatedIdpMfaBehavior": "enforceMfaByFederatedIdp"
247+
}
189248
```
190249

191-
This configuration allows the decision to use MFA Server or Azure MFA to be made on AD FS.
192250

193251
### Configure Conditional Access policies if needed
194252

195253
If you use Conditional Access to determine when users are prompted for MFA, you shouldn't need to change your policies.
196254

197-
If your federated domain(s) have SupportsMFA set to false, analyze your claims rules on the Azure AD relying party trust and create Conditional Access policies that support the same security goals.
255+
If your federated domain(s) have SupportsMfa set to false, analyze your claims rules on the Azure AD relying party trust and create Conditional Access policies that support the same security goals.
198256

199257
After creating conditional access policies to enforce the same controls as AD FS, you can back up and remove your claim rules customizations on the Azure AD Relying Party.
200258

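Review bot: the sentence "The following example shows how to set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` by using Graph PowerShell" is followed by a raw HTTP `PATCH https://graph.microsoft.com/beta/domains/contoso.com/federationConfiguration/...` request, not a PowerShell command; either say the example uses the Microsoft Graph beta API, or replace the block with the PowerShell counterpart of the `Get-MgDomainFederationConfiguration` read shown above it. Related issues in the same hunk: the `<!-- { "blockType": "request" ... } -->` and `"blockType": "response"` HTML comments are build markers carried over from the Graph API reference and mean nothing in this article; `Get-MgDomainFederationConfiguration –DomainID yourdomain.com` uses an en dash before the parameter name instead of an ASCII hyphen (the removed `Get-MsolDomainFederationSettings –DomainName` line had the same defect), so use a plain hyphen for a command readers will copy; and the "Configure Conditional Access policies if needed" paragraph still keys only on SupportsMfa being false, although the new rules a few lines earlier say SupportsMfa is ignored once federatedIdpMfaBehavior is set, so it should also cover the case where federatedIdpMfaBehavior is not `enforceMfaByFederatedIdp`. Finally, the heading reads "Set federatedIdpMfaBehavior to enforceMfaByFederatedIdp" but the body only says "You can set", and the removed explanation of the effect ("allows the decision to use MFA Server or Azure MFA to be made on AD FS") has no replacement; state whether the setting is required for this migration path and what it changes.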
@@ -300,7 +358,7 @@ Detailed Azure MFA registration information can be found on the Registration tab
300358

301359
![Image of Authentication methods activity screen showing user registrations to MFA](./media/how-to-migrate-mfa-server-to-azure-mfa-with-federation/authentication-methods.png)
302360

303-
361+
304362

305363
## Clean up steps
306364
